

Removing Claims from Trusted Identity Providers

SharePoint 2010 supports third-party identity providers. These identity providers authenticate and authorize users who request SharePoint resources. A SharePoint administrator configures a trusted identity provider for a SharePoint environment.

Claims are a form of attribute or role that a user has. Each claim has a name that identifies it and a value that the trusted identity provider verifies by connecting to a user directory.

For example, you can configure claims that correspond to the SamAccountName attribute of an Active Directory server or a uid of an LDAP directory server.

You can remove a claim from a CA SiteMinder® trusted identity provider at any time. The following illustration describes the process:

[Flowchart: the procedures and the sequence required for removing a claim from a SiteMinder trusted identity provider]

To remove a claim from a CA SiteMinder® trusted identity provider, follow these steps:

  1. Verify that your account has the required permissions.
  2. Open a SharePoint 2010 Management Shell window on your SharePoint Central Administration server.
  3. Identify your trusted identity provider.
  4. Remove the claims mapping identity from your trusted identity provider.
  5. Remove the claim type from your trusted identity provider.
  6. Update the trusted identity token issuer.

Verify that your Account has the Required Permissions

The user account with which you want to modify the CA SiteMinder® trusted identity provider requires certain permissions. Modify the permissions of your user account if it does not meet the following conditions:

Add the following privileges to your account:

Open a SharePoint 2010 Management Shell Window on your SharePoint Central Administration Server

You remove claims from your CA SiteMinder® trusted identity provider using the SharePoint 2010 Management Shell.

Follow these steps:

  1. Log in to your SharePoint Central Administration server.
  2. Click Start, All Programs, Microsoft SharePoint 2010 Products, SharePoint 2010 Management Shell.

    A SharePoint 2010 management shell command-line window appears.

Identify your Trusted Identity Provider

A SharePoint 2010 environment can have multiple trusted identity providers. Identify your CA SiteMinder® trusted identity provider before modifying any claims that are associated with it.

Follow these steps:

  1. Enter the following command to list all of the trusted identity providers:
    Get-SPTrustedIdentityTokenIssuer 
    

    A list of trusted identity providers appears.

  2. Locate your CA SiteMinder® trusted identity provider in the list.

    Your CA SiteMinder® trusted identity provider is identified.

Remove the ClaimsMapping Identity from your Trusted Identity Provider

Removing a claim from your CA SiteMinder® trusted identity provider involves several steps in the SharePoint 2010 Management Shell. This example removes a claim for the last name of a user from the CA SiteMinder® trusted identity provider. Use this example as a guide to remove any claim you want from your CA SiteMinder® trusted identity provider.

Follow these steps:

  1. Enter the following command to assign your CA SiteMinder® trusted identity provider to a variable:
    $trusted_identity_provider_variable_name = Get-SPTrustedIdentityTokenIssuer -Identity "name_of_siteminder_trusted_identity_provider"

  2. Enter the following command to verify that the correct item is assigned to the variable:
    echo $trusted_identity_provider_variable_name

  3. Enter the following command to remove the claim from the CA SiteMinder® trusted identity provider. The command shown in the following example removes a claim for the last name of a user (enter it on a single line):
    Remove-SPClaimTypeMapping -Identity "http://schemas.xmlsoap.org/claims/lastname" -TrustedIdentityTokenIssuer $trusted_identity_provider_variable_name

  4. Repeat Step 1 to refresh the variable for the CA SiteMinder® trusted identity provider, because the object in the variable no longer reflects the provider's current state.

Remove the Claim Type from your Trusted Identity Provider

Remove the claim type from your CA SiteMinder® trusted identity provider.

Follow these steps:

  1. Enter the following command to list the claim types contained in the variable for your CA SiteMinder® trusted identity provider:
    $trusted_identity_provider_variable_name.ClaimTypes

  2. From the previous list, locate the claim type that is associated with the claim identity you want to remove.
  3. Enter the following command to remove the claim type:
    $trusted_identity_provider_variable_name.ClaimTypes.Remove("http://schemas.xmlsoap.org/claims/lastname")
    

    For example, the previous command removes the claim type for the last name of a user.

Update the Trusted Identity Token Issuer

Update the CA SiteMinder® trusted identity provider after removing the claim identity and the claim type.

Follow these steps:

  1. Enter the following command to update the CA SiteMinder® trusted identity provider (the parentheses are required; without them PowerShell only displays the method definition instead of calling it):
    $trusted_identity_provider_variable_name.Update()
    

    The trusted identity provider is updated.
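The whole procedure above, written as one script that checks the provider's state before and after each step; this is an added example, not code from the original page or from CA, and the issuer name is a placeholder you must replace. It also refuses to remove the provider's identity claim, since a token issuer cannot map users without it.

```powershell
# Added example (not from the original page): remove one claim mapping and its
# claim type from a trusted identity token issuer, verifying state at each step.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "name_of_siteminder_trusted_identity_provider"   # placeholder
$claimType  = "http://schemas.xmlsoap.org/claims/lastname"     # example claim from the page

# 1. Identify the issuer; stop early if it cannot be found.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction Stop
$identityClaim = $issuer.IdentityClaimTypeInformation.InputClaimType
Write-Host "Issuer: $($issuer.Name)  identity claim: $identityClaim"

# Never remove the claim SharePoint uses to identify the user.
if ($identityClaim -eq $claimType) {
    throw "$claimType is the identity claim of $issuerName; it cannot be removed."
}

# 2. Confirm the mapping actually exists before changing anything.
$mapping = $issuer.ClaimTypeInformation | Where-Object { $_.InputClaimType -eq $claimType }
if (-not $mapping) {
    throw "No claim mapping for $claimType on $issuerName."
}
Write-Host "Removing mapping: $($mapping.InputClaimType) -> $($mapping.MappedClaimType)"

# 3. Remove the mapping, then re-read the issuer so the local object is current.
Remove-SPClaimTypeMapping -Identity $mapping -TrustedIdentityTokenIssuer $issuer -Confirm:$false
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName

# 4. Remove the claim type itself and persist the change.
if ($issuer.ClaimTypes -contains $claimType) {
    $null = $issuer.ClaimTypes.Remove($claimType)
    $issuer.Update()
}

# 5. Verify from a fresh read, not from the in-memory object.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$stillMapped = $issuer.ClaimTypeInformation | Where-Object { $_.InputClaimType -eq $claimType }
$stillTyped  = $issuer.ClaimTypes -contains $claimType
if ($stillMapped -or $stillTyped) {
    throw "Removal of $claimType did not take effect; inspect ClaimTypeInformation and ClaimTypes."
}
Write-Host "Claim $claimType removed from $issuerName."
```

Run it in the SharePoint 2010 Management Shell with the same account permissions the procedure requires; the final check is what confirms the change reached the configuration database rather than only the object in your session.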